Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2014-9493

Опубликовано: 15 дек. 2014
Источник: redhat
CVSS2: 5.5
EPSS Низкий

Описание

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

It was discovered that an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.

Меры по смягчению последствий

diff --git a/etc/policy.json b/etc/policy.json index 325f00b..a797f12 100644 --- a/etc/policy.json +++ b/etc/policy.json @@ -13,9 +13,9 @@ "download_image": "", "upload_image": "",

  • "delete_image_location": "",
  • "get_image_location": "",
  • "set_image_location": "",
  • "delete_image_location": "role:admin",
  • "get_image_location": "role:admin",
  • "set_image_location": "role:admin", "add_member": "", "delete_member": "",

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux OpenStack Platform 6 (Juno)openstack-glanceAffected
OpenStack 4 for RHEL 6openstack-glanceFixedRHSA-2015:024619.02.2015
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6openstack-glanceFixedRHSA-2015:024619.02.2015
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7openstack-glanceFixedRHSA-2015:024619.02.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=1174474openstack-glance: unrestricted path traversal flaw

EPSS

Процентиль: 73%
0.0075
Низкий

5.5 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2014-9493

ubuntu
около 11 лет назад

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

nvd логотип

CVE-2014-9493

nvd
около 11 лет назад

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

debian логотип

CVE-2014-9493

debian
около 11 лет назад

The V2 API in OpenStack Image Registry and Delivery Service (Glance) b ...

github логотип

GHSA-jgr4-76hh-5p7q

github
больше 3 лет назад

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

EPSS

Процентиль: 73%
0.0075
Низкий

5.5 Medium

CVSS2